Getting started in the security field [books, resources, advice]

  • Vyrus
    Member
    • Dec 2003
    • 190

    #31
    Re: Getting started in the security field

    i can understand why companies use certs as a measurement of what you walk through the door with to a degree, but my personal dilemma has always been in the fact that there is no "cert" for "hacking".

    i.e. as a rather young guy (22), i'd like to think that offering 3rd party pen-testing services isn't out of my reach when it comes to at least small time stuff (like say for example a coffee shop in my area wants to run customer wifi over the same internet connection as their ATM system and wants to make sure the system they have in place is working), but how do i know? at what point should i say "this job is too big for me" and back off?

    if somebody called me up tomorrow and said i would like to test my website for security holes and i say yes, at what point can i say "yea, you are secure", as opposed to "well i couldn't crack it but that doesn't mean somebody out there can't"?

    how do i quantify what i know against others when it comes to hacking in such a fashion that i can say my knowledge is "professional" level and not just "guru" level?


    • Chris
      Great Satan of the East
      • Oct 2001
      • 2866

      #32
      Re: Getting started in the security field

      Originally posted by Vyrus
      if somebody called me up tomorrow and said i would like to test my website for security holes and i say yes, at what point can i say "yea, you are secure", as opposed to "well i couldn't crack it but that doesn't mean somebody out there can't"?

      how do i quantify what i know against others when it comes to hacking in such a fashion that i can say my knowledge is "professional" level and not just "guru" level?
      If you are doing pen test work you should never tell them 'yea, you are secure.' There is no such thing. There is always someone else out there that can crack what you can't. You have to take a pen test in conjunction with a risk assessment and let your client know the score.
      perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'


      • Deviant Ollam
        Semi-Professional Swearer
        • May 2003
        • 3417

        #33
        Re: Getting started in the security field

        Originally posted by Chris
        If you are doing pen test work you should never tell them 'yea, you are secure.' There is no such thing.
        yeah, i recall hearing a story one time about Marc Tobias sitting with some corporate executive and getting on the topic of pen testing / security assessment. The executive asked Marc what he charges or something for a security assessment and report... and, if i was told correctly, Marc replied that it varies a lot depending on the size of the job, but he would do a free remote assessment for just the cost of a drink.

        "A remote assessment?" the guy asked, sounding impressed and looking at the laptop on the table between them. "Sure," he said and bought another round. Instead of reaching for his laptop or asking any details about the company's IP addresses, etc., Marc just sat for a second and possibly looked up or drummed his fingers on the tabletop. "OK, i'm done," he replied moments later. "Your network is alright but it's certainly far from totally secure. Your users don't use strong passwords and they leave them around written on post-it notes. Your IT staff has at least one piece of hardware that is configured with defaults from long, long ago when your first guy was hired and you have at least one rogue AP that some dickhead plugged in under his desk, if not more."

        Funny part is, that's a pretty safe bet in terms of being accurate 9 times out of 10, i'd wager.
        "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
        - Trent Reznor


        • Samurai®¥©
          Gang GREEN
          • Sep 2005
          • 28

          #34
          Re: Getting started in the security field

          I posted on the first page of this thread on how I wanted to get into the Security field of IT work. I think it is going to happen now. Even though I am a full time student (thanks to my wife), I have been looking around for a part time job, only applying to one place since I only want to do something in this field.

          I am very lucky. I found a company that consults in PCI DSS only. The job ad was for a "scanner" and it sounded very interesting to me. Although I am not anywhere near the capability of everyone here, this will be a good first step for me.

          Tomorrow I am going to another meeting with this company because after the third interview, they told me they were not giving me the job, but instead want me to create my position. So going on what was discussed, I came up with an idea. In a nutshell, I am going to present to them how they can extend the amount of effort they put into "Defense In Depth".

          I was replying to you Deviant Ollam because the situation you described is the kind of work this company does, but not without real truth behind it :)


          • dYn4mic
            technologist
            • Jan 2004
            • 315

            #35
            Re: Getting started in the security field

            Originally posted by Deviant Ollam
            "A remote assessment?" the guy asked, sounding impressed and looking at the laptop on the table between them. "Sure," he said and bought another round. Instead of reaching for his laptop or asking any details about the company's IP addresses, etc., Marc just sat for a second and possibly looked up or drummed his fingers on the tabletop. "OK, i'm done," he replied moments later. "Your network is alright but it's certainly far from totally secure. Your users don't use strong passwords and they leave them around written on post-it notes. Your IT staff has at least one piece of hardware that is configured with defaults from long, long ago when your first guy was hired and you have at least one rogue AP that some dickhead plugged in under his desk, if not more."
            Hahaha. That story made my day.
            The only constant in the universe is change itself


            • Deviant Ollam
              Semi-Professional Swearer
              • May 2003
              • 3417

              #36
              Re: Getting started in the security field

              Originally posted by dYn4mic
              Hahaha. That story made my day.
              like i say... it's just what i heard. and while i didn't catch it firsthand, it surely seems like the sort of accurate and straightforward yet irreverently-witty remark that Tobias would make.


              • Samurai®¥©
                Gang GREEN
                • Sep 2005
                • 28

                #37
                Re: Getting started in the security field

                Today was the day for my final meeting with the company I am trying to get a security position at. I spent about a week of about 20 hours on a PP presentation to kind of solidify the reason why I should be hired, but more so the position creation.

                I am happy to say that I was hired and without even having to show the PP presentation. I am amazed to be honest. For this job, timing was everything. Much of the content on this forum has been really helpful to me. Thank you all!


                • DJ Jackalope
                  Resident DJ/Event Pusher
                  • May 2003
                  • 1282

                  #38
                  Re: Getting started in the security field

                  Hey there. I am going back to college working on earning an Associate's degree in Networking. I work at an ISP that frowns on security conferences. Something tells me that I'll be switching it up to security really soon now.

                  Wanted to say thanks to everyone who posted on here. Lots of good stuff.

                  Right on Samurai! I hope it works.
                  ======================================
                  DJ Jackalope
                  dopest dj in the galaxy. *mwah!*

                  send in the drop bears!
                  ======================================


                  • Samurai®¥©
                    Gang GREEN
                    • Sep 2005
                    • 28

                    #39
                    Re: Getting started in the security field

                    Originally posted by DJ Jackalope
                    I work at an ISP that frowns on security conferences.
                    Don't take this the wrong way, but that is a total lack of intelligence with that approach. But I am not surprised about it.



                    Originally posted by DJ Jackalope
                    Right on Samurai! I hope it works.
                    Thanks! It is so far and I am really enjoying it. Everyone here has been helpful and continues to be. Good luck to you as well!


                    • DJ Jackalope
                      Resident DJ/Event Pusher
                      • May 2003
                      • 1282

                      #40
                      Re: Getting started in the security field

                      Originally posted by Samurai®¥©
                      Don't take this the wrong way, but that is a total lack of intelligence with that approach. But I am not surprised about it.
                      Seriously, I don't get it, either. However, I also have to explain to them the difference between real hackers and people who are the ones who propagate viruses through email. My mom summed it up: between hackers and criminals.


                      • TheCotMan
                        *****Retired *****
                        • May 2004
                        • 8857

                        #41
                        Re: Getting started in the security field

                        But there are likely hackers that are also criminals just as there are hackers that are feds, and maybe hackers that are feds and criminals (even if a criminal in *another* country.)


                        • mouseling
                          Catalyst
                          • Jul 2005
                          • 103

                          #42
                          Re: Getting started in the security field

                          Have you noticed the trend in Fed sponsored hacking? West Point cadets are bused to Shmoocon, many universities now offer programs in Information Security Awareness and there are fed sponsored computer security conferences.

                          If you'd like Fed credentials, the DHS actually certifies the Information Security programs of a dozen or so Universities. The list is at dhs.gov

                          Also, from Infosec's mailing list today:
                          "The FBI has chosen the National Center for Supercomputing Applications
                          at the University of Illinois at Urbana-Champaign to host a new law
                          enforcement cybersecurity research center."

                          Is this official, legitimate recognition a sign that everybody has grown up?

                          -mouse
                          One Voter really can make a difference. Ask me how!


                          • skroo
                            Volatile Compound
                            • Dec 2001
                            • 2348

                            #43
                            Re: Getting started in the security field

                            Originally posted by mouseling
                            Have you noticed the trend in Fed sponsored hacking? West Point cadets are bused to Shmoocon, many universities now offer programs in Information Security Awareness and there are fed sponsored computer security conferences.
                            Realistically, though, this isn't necessarily a bad thing. Most government agencies that have had some responsibility in the security arena have traditionally fallen into one of two camps: completely awesome or truly fucking awful. Unfortunately, the latter has been somewhat prevalent: due to the institutionalised nature of most government positions, they don't really encourage moving beyond one's current skill set. The end result is that you end up with a pool of technically-mediocre people trying to deal with concepts and technologies that are beyond their view and understanding of the security arena. If this can be improved by sending government employees to civilian-sector training, so much the better.

                            One distinction that's important to make here, though, is the one between agencies, groups, or departments tasked with securing or cracking communications, and those who investigate and prosecute illegal activities. While there's some blur between the two, the differences between them are quite pronounced and as a result should be looked at individually.

                            Is this official, legitimate recognition a sign that everybody has grown up?
                            Nope - more that the government has finally realised that this is an area that very much falls under the category of 'national defence', and that it moves at a far faster pace than traditional defence-sector industries do. Not to mention that there is no direct control that they can exercise over its development in either the threat or response fields, so getting people out into the 'real' world is crucial for ensuring that they are able to properly perform the job they're tasked with.


                            • mouseling
                              Catalyst
                              • Jul 2005
                              • 103

                              #44
                              Re: Getting started in the security field

                              Originally posted by skroo
                              One distinction that's important to make here, though, is the one between agencies, groups, or departments tasked with securing or cracking communications, and those who investigate and prosecute illegal activities. While there's some blur between the two, the differences between them are quite pronounced and as a result should be looked at individually.
                              Yes, I agree. I don't think of it as bad at all, just a sign of the times. And, also agreed, forensic analysis is not the same as cryptanalysis or pen testing.

                              Not to mention that there is no direct control that they can exercise over its development in either the threat or response fields,
                              It isn't just training, it is also research into new defensive and offensive technologies.
                              Usenix Security just sponsored its first ever workshop on Offensive tech (WOOT), because there is interest and money there.
                              It is interesting to note that while CS - and all science - research is starving, there is a great deal of gov't funding available for any CS project that can be directly (and sometimes indirectly) related to security. However, the money does come with strings, which can include having to have permission before publishing. (I have personal exp. with this)


                              • carnops
                                Member
                                • Jan 2008
                                • 2

                                #45
                                Re: Getting started in the security field

                                Hello,
                                I've read this thread with attention and find it very interesting.
                                I have a non-tech job but studied networking at an associate level in 2005.
                                That was more for the challenge than for professional purposes, as I had very little experience in IT.
                                I feel concerned about computer security as a daily user and the only IT-literate person in the company.
                                What do you think about EC-Council certs?
                                When I look at the outlines, it sounds like quite a serious program for pen-testers and white hats.
                                I'd like to go deeper in my understanding of computers and networks.
                                I didn't make it my professional path for many reasons, but wanted to change after attending the networking courses.
                                In your opinion, is it possible to progress while being busy in another field and having only free time to do so?
                                Thanks in advance
                                -----BEGIN GEEK CODE BLOCK-----
                                Version: 3.1
                                GO/RE d- s++:++ a- C++ ULU L+++ P> E- W+++ w--- PS+++ PE-- Y+ PGP+ R+ tv+ b+ D G e++ h r++ y+*
                                ------END GEEK CODE BLOCK------
